Merge branch 'maint-0.3.0'

2024-11-24 04:13:28 +01:00 · 2017-02-24 11:37:04 -05:00 · 2017-02-24 11:37:04 -05:00 · d73755e36e
commit d73755e36e
parent efa5bbaba0 4ed10e5053
4 changed files with 16 additions and 5 deletions
--- a/changes/bug21553
+++ b/changes/bug21553
@ -0,0 +1,7 @@
+  o Minor bugfixes (hidden service):
+    - When encoding a legacy ESTABLISH_INTRO cell, we were using the sizeof()
+      on a pointer instead of real size of the destination buffer leading to
+      an overflow passing an enormous value to the signing digest function.
+      Fortunately, that value was only used to make sure the destination
+      buffer length was big enough for the key size and in this case it was.
+      Fixes bug 21553; bugfix on tor-0.3.0.1-alpha.
--- a/src/or/rendservice.c
+++ b/src/or/rendservice.c
@ -3174,8 +3174,9 @@ count_intro_point_circuits(const rend_service_t *service)
   of bytes written. On fail, return -1.
 */
 STATIC ssize_t
-encode_establish_intro_cell_legacy(char *cell_body_out, crypto_pk_t *intro_key,
-                                   char *rend_circ_nonce)
+encode_establish_intro_cell_legacy(char *cell_body_out,
+                                   size_t cell_body_out_len,
+                                   crypto_pk_t *intro_key, char *rend_circ_nonce)
 {
  int retval = -1;
  int r;
@ -3202,7 +3203,7 @@ encode_establish_intro_cell_legacy(char *cell_body_out, crypto_pk_t *intro_key,
  len += 20;
  note_crypto_pk_op(REND_SERVER);
  r = crypto_pk_private_sign_digest(intro_key, cell_body_out+len,
-                                    sizeof(cell_body_out)-len,
+                                    cell_body_out_len - len,
                                    cell_body_out, len);
  if (r<0) {
    log_warn(LD_BUG, "Internal error: couldn't sign introduction request.");
@ -3313,8 +3314,9 @@ rend_service_intro_has_opened(origin_circuit_t *circuit)
  /* Send the ESTABLISH_INTRO cell */
  {
    ssize_t len;
-    len = encode_establish_intro_cell_legacy(buf, circuit->intro_key,
-                                        circuit->cpath->prev->rend_circ_nonce);
+    len = encode_establish_intro_cell_legacy(buf, sizeof(buf),
+                                      circuit->intro_key,
+                                      circuit->cpath->prev->rend_circ_nonce);
    if (len < 0) {
      reason = END_CIRC_REASON_INTERNAL;
      goto err;
--- a/src/or/rendservice.h
+++ b/src/or/rendservice.h
@ -130,6 +130,7 @@ STATIC int rend_service_poison_new_single_onion_dir(
                                                  const rend_service_t *s,
                                                  const or_options_t* options);
 STATIC ssize_t encode_establish_intro_cell_legacy(char *cell_body_out,
+                                                  size_t cell_body_out_len,
                                                  crypto_pk_t *intro_key,
                                                  char *rend_circ_nonce);
 STATIC void prune_services_on_reload(smartlist_t *old_service_list,
--- a/src/test/test_hs_intropoint.c
+++ b/src/test/test_hs_intropoint.c
@ -489,6 +489,7 @@ helper_establish_intro_v2(or_circuit_t *intro_circ)

  /* Use old circuit_key_material why not */
  cell_len = encode_establish_intro_cell_legacy((char*)cell_body,
+                                                sizeof(cell_body),
                                                key1,
                                                (char *) circuit_key_material);
  tt_int_op(cell_len, >, 0);